Method for maintaining differentiated services data flow at a network device implementing redundant packet discard security techniques

ABSTRACT

An improved method is described for providing Differentiated Services (Diffserv) traffic to a node in a network that implements a security method that discards duplicate packets received at the node. The method includes the step of identifying at least two service levels to be provided to received traffic and assigning different size look-back window counts to each of the service levels. The look-back window count indicates a number of packets that have been previously received at the node that should be compared against a received packet to determine whether a duplicate packet has been received. In one embodiment, a service level that has higher priority is assigned a lower look-back window count and thus examines fewer previously received packets than a service level having a lower priority. Such an arrangement reduces the possibility that traffic having higher priority is dropped as a security measure.

FIELD OF THE INVENTION

This invention relates generally to the field of networking and, more specifically, to a method for supporting quality of service issues in a secure network environment.

BACKGROUND OF THE INVENTION

As is known in the art, data is transferred between nodes over the Internet in the form of packets or datagrams. A packet typically consists of a header portion and a data portion. The data portion comprises a number of bytes or octets of data. There may be any minimum number of bytes in the data portion of the packet, but typical protocols also ensure that there is a maximum number of bytes of data that are transferred between each packet header. Because packets may be transmitted through different routes in the network to a destination node, they may reach the destination node out of order. Under the Transmission Control Protocol (TCP)/IP protocol and other protocols a sequence number is assigned to each packet to enable the destination node to restore the order of packets in the data transmission.

Referring now to FIG. 1, an exemplary definition of fields of an Internet Protocol (IP) packet header includes a number of fields that control how the data associated with the header is to be treated at a source and destination node. Exemplary fields include the source address 12 j and the destination address 12 k, which include the IP addresses of the communicating nodes. In addition, the IP header includes a version field 12 a which identifies which version of the IP protocol should be used when parsing the IP header, and a protocol field 12 h which identifies what other protocols are layered on top of the IP protocol. For example, certain protocols such as Transmission Control Protocol (TCP) include their own header, and the encoding of the TCP protocol in the protocol field alerts the destination node to interpret a portion of the data as a TCP header.

Another field in the IP header is the Type Of Service (TOS) field 12 m. In the IP protocol, the TOS identifies the quality of service that should be afforded a given transmission between the identified source and destination nodes. For example, the field may be encoded to indicate a relative priority of the transmission; high priority transmissions would be given precedence over low priority transmissions at each of the source and destination nodes.

In versions IPv4 and IPv6 of the IP protocol a replacement header field, called the Differentiated Services Code (DSC) field 13, is defined, which supersedes the definition of the IP TOS octet. Differentiated Services (generally referred to as Diffserv in the art) enables different Per Hop Behaviors (PHBs) to be experienced at different nodes for different types of traffic. Traffic having a certain type of per hop behavior is said to belong to a particular behavior aggregate. Diffserv thus allows a network subscriber to control the quality of service (QOS) that is associated with their traffic by entering into a service level agreement to obtain the desired behavior of traffic at certain nodes. Generally speaking, there is a correlation between the value in the DSC field and the per hop behavior desired for the data encapsulated in the data field of the corresponding packet, and the per hop behavior is the means by which a node allocates resources to the behavior aggregate. There can be a variety of different types of traffic between a common source and destination, each of which may have different per hop behaviors and therefore each of which has different access rights to the resources (buffers, etc.) of the destination node.

While there are many possible per hop behaviors, certain per hop behaviors have been defined in the art. These per hop behaviors include Best Effort Forwarding (BE), Assured Forwarding (AF) and Expedited Forwarding (EF).

Best Effort (BE) per hop behavior is the default per hop behavior of Diffserv. BE behavior aggregate packets may be sent into a network without adhering to any particular rules and the network will deliver as many of these packets as possible and as soon as possible, subject to other resource policy constraints. The reasonable implementation of this per hop behavior would be to forward packets in this aggregate whenever the output link is not required to satisfy another per hop behavior. A reasonable policy for constructing services ensures that the behavior aggregate is not starved, by allowing it some access to the resources.

Traffic that is forwarded as part of the Assured Forwarding (AF) behavior aggregate is forwarded with a high probability that it will reach the destination node as long as the aggregate traffic from each site does not exceed a subscribed threshold. For example, in a typical application, a company uses the Internet to interconnect its geographically distributed sites and wants an assurance that IP packets within this intranet are forwarded with high probability as long as the aggregate traffic from each site does not exceed the subscribed information rate (profile). Different levels of Assured Forwarding (AF) PHB group behavior may be offered by a service provider to meet the required bandwidth and cost associated with the customer.

Expedited Forwarding provides the highest priority per hop behavior. The intent of the Expedited Forwarding PHB is to provide a building block for low loss, low jitter and low delay services. The dominant causes of delay in a packet network are set propagation delays in wide area links and queuing delay in switches and routers. Since propagation delays are a set property of the topology, delay can be minimized when queuing delays are minimized. The intent of the expedited forwarding per hop behavior is to provide a behavior in which suitably marked packets usually encounter short or empty queues. If queues remain short relative to the buffer space available, packet loss is also kept to a minimum. An additional characteristic that may be required by the EF or AF PHBs is that the data packets often must be received in the order that they are transmitted.

A protocol that may be layered on top of the IP protocol is the Internet Protocol Security (IPsec) protocol. Internet Protocol Security (IPsec) is a security protocol that provides security services at the IP layer by enabling a system to select required security protocols, determine the algorithm(s) to use for services, and put in place any cryptographic keys required to provide the requested services. IPsec can be used to protect one or more paths between a pair of hosts, between a pair of secure gateways, or between a security gateway and a host. The set of security services that IPsec can provide include access control, connectionless integrity, data origin authentication, limited traffic flow confidentiality, and the rejection of replayed packets (a form of partial sequence integrity).

One element of the IPsec protocol is the use of the Authentication Header (AH) 14, as shown in FIG. 2. The IP Authentication Header is used to provide connectionless integrity and data origin authentication for IP datagrams, and to provide protection against replays. AH offers an anti-replay (partial sequence integrity) service at the discretion of the receiver, to help counter denial of service (DoS) attacks. A DoS attack is a type of attack on a network that is designed to bring the network to its knees by flooding it with useless traffic. Many DoS attacks, such as the Ping of Death and Teardrop attacks, exploit limitations in the TCP/IP protocols. The anti-replay mechanism seeks to overcome DoS attacks by examining the sequence number 15 d of received packets, and dropping any packets having duplicate sequence numbers within a predefined window of time. As shown in FIG. 2, the sequence number 15 d comprises 32 bits, and is used as a counter for the data packets associated with the secure transmission. Typical implementations do not allow duplicate sequence numbers to appear within a thirty-two packet window, and therefore use five bits of the counter before resetting to provide a new sequence number. In order to prevent DoS attacks, the anti-replay mechanism deletes packets having duplicate sequence numbers within the thirty-two packet window.

Referring now to FIG. 3, an exemplary Diffserv data flow is shown, wherein the IP packets may have layered thereon an Authentication Header for IPsec purposes, including sequence numbers. A first traffic stream is shown to include packets A1, A2 and A3, and a second traffic stream is shown to include packets B1, B2, B3. Source node 20 transmits both traffic streams to destination node 30. In the example of FIG. 3, assume that data transmission A, comprising packets A1, A2 and A3, consists of packets belonging to the BE PHB aggregate, and transmission B, comprising packets B1, B2 and B3, consists of packets belonging to an EF PHB aggregate. Source node 20 initiates the transmission of traffic stream A over the Internet 25 by forwarding packets A1 and A2 to destination node 30. As the packets are transmitted, they are assigned sequence numbers 1 and 2 respectively. Subsequent to the transmission of packets A1 and A2, data traffic belonging to the Expedited Forwarding per hop behavior aggregate is received at the source node 20. To implement the EF PHB for traffic stream B, the source node immediately substitutes the traffic stream B in its transmissions to destination node 30. Packet B1 is assigned sequence number 1, packet B2 is assigned sequence number 2, and packet B3 is assigned sequence number 3, and all packets are forwarded to the destination node. Following the transmission of packet B3 to the destination node, the final packet A3 of the first transmission can be forwarded to the destination node. Within a four packet transmission period, two packets have identical sequence numbers (packets A1 and B1 have matching sequence number 1, and packets A2 and B2 have matching sequence number 2). Typically the destination node will look to other characteristics of the packet, such as the protocol, the DSC fields, and other identifying elements to arrange the appropriate packets with the appropriate transmission streams.

A problem arises, however, at the destination node due to the anti-replay mechanism of the IPsec protocol, because when packet B1 having the sequence number of 1 is received at the destination node it will be dropped since the duplicate sequence number potentially indicates a DoS attack. Thus, the contracted EF PHB for traffic stream B is not achieved. It would be desirable to determine a method of implementing Diffserv in networks having nodes operating using the IPsec protocol.

SUMMARY OF THE INVENTION

An improved method is described for providing Differentiated Services (Diffserv) traffic to a node in a network that implements a security method that discards duplicate packets received at the node. The method includes the step of identifying at least two service levels to be provided to received traffic and assigning different size look-back window counts to each of the service levels. The look-back window count indicates a number of packets that have been previously received at the node that should be compared against a received packet to determine whether a duplicate packet has been received. In one embodiment, a service level that has higher priority is assigned a lower look-back window count and thus examines fewer previously received packets than a service level having a lower priority. Such an arrangement reduces the possibility that traffic having higher priority is dropped as a security measure.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram illustrating various fields of a header according to the Internet Protocol;

FIG. 2 is a diagram illustrating various fields that are included in an Authentication Header (AH) in the Internet Protocol Security (IPsec) protocol;

FIG. 3 is a packet flow diagram for illustrating how packets that are part of Diffserv traffic are frequently dropped at nodes operating using the anti-replay mechanism of the IPsec protocol;

FIG. 4 is a conceptual block diagram of certain components that may be included in hardware or software at a host node operating according to the present invention;

FIG. 5 is a packet flow diagram for illustrating how offering differing size windows according to the present invention reduces the instances of discard of Diffserv packets in systems operating under the IPsec protocol; and

FIG. 6 is a block diagram of a sequence number buffer illustrating various window sizes that are assigned to various service levels according to the present invention.

DESCRIPTION OF THE PREFERRED EMBODIMENT

A method and apparatus for supporting differentiated services (Diffserv) traffic at nodes that implement redundant packet discard security measures to prevent Denial Of Service (DoS) attacks will be described with reference to the attached Figures and the specification below.

Referring now to FIG. 4, some basic components of a networked node 50 are shown to include a packet processor 56, a parser 52 and a packet buffer 54. Although the components are shown as functional blocks, it should be understood that the functionality described with regard to each of the components may be implemented in either software, hardware, or a combination thereof, and the present invention is not limited to any specific implementation.

In general, the networked node receives incoming packets on line 53, and forwards the packets for temporary storage in the packet buffer 54. The packet processor 56, among other things, determines whether the packet stored in the buffer should be forwarded to memory (not shown) for further processing or to an output path (not shown) of the node. In addition, the packet processor sends signals to the packet buffer if it is determined that the packet should be discarded. The focus of the present invention will be specifically on the redundant packet discard security measure that is often performed to minimize DoS attacks at a node. One example of a redundant packet discard security measure is the anti-replay mechanism of the Internet Protocol Security (IPsec) protocol. It should be understood that although the present invention is described with regard to certain elements of the IPsec protocol, the present invention is not limited to operation under any specific protocol.

According to one aspect of the present invention, a table of look-back window sizes 58 is provided. Each look-back window size is associated with a defined per hop behavior aggregate, such as Best Effort (BE), one of a set of Assured Forwarding (AF) per hop behaviors, Expedited Forwarding (EF) or the like. When an input packet is received at the node, the DSC field is parsed from the IP header and forwarded to the Diffserv codepoint (DSC) table 57 to determine the contracted level of service associated with the traffic stream. There is a correlation between the DSC and the per hop behavior, although it may not be a one-to-one mapping, and other considerations, such as the type of packet as indicated in the identifier field 12 d of the IP header, the IP addresses of the source and destination nodes, the protocol associated with the specific packet (as identified in field 12 h), and other factors may be used to map the packet to one of a set of per hop behavior (PHB) aggregates. The present invention recognizes that there may be many PHBs defined from many input fields of the packet, and the present invention should not be limited to any specific PHBs or methods for determining PHB aggregates. The alternative term 'service level' will be used interchangeably hereinafter with the term per hop behavior aggregate.

Logic at the node 50 operates generally as follows. When a packet is received at the node, the parser 52 strips the DSC field and the sequence number from the respective IP and Authentication headers. The DSC field is used to obtain a portion of the per hop behavior mapping information, which is forwarded to the packet processor 56. The packet processor retrieves the look-back window size for the PHB from the replay window table 58. The packet processor uses the window size to determine how many previous sequence numbers should be compared with the current sequence number to find a match. If a match is found within this window, the current packet is discarded because it is a potential DoS attack. If no match is found, the packet is processed in accordance with the remaining fields of the IP header.

For example, referring now to FIG. 5, assume that a node is implementing a security protocol that drops duplicate packets, but that the traffic that flows through the network is Diffserv traffic having a variety of service levels. Using known Diffserv terminology, assume that the traffic includes packets having an Expedited Forwarding (EF) service level, one Assured Forwarding (AF) service level, and a default Best Effort (BE) service level. Data traffic having the EF service level has a look-back window size of eight sequence numbers/packets, while data having the AF service level has a look-back window of twelve sequence numbers/packets, and data having the BE service level has a look-back window of thirty-two packets/sequence numbers.

In FIG. 5, source node 60 is transmitting a series of traffic streams A, B and C to destination node 70. Individual packets will be referred to hereinafter by their respective stream designations in combination with their sequence numbers (for example, as shown in FIG. 5, packet B1 is forwarded at time T16, packet A12 is forwarded at time T12, etc.). In FIG. 5, traffic stream A has a contracted Best Effort service level, traffic stream B has an Assured Forwarding service level, and traffic stream C has an Expedited Forwarding service level.

At time T1, packet A1 is transferred to destination node 70. The transmission of traffic stream A continues until time T16, when the source node receives a higher priority traffic stream B. When the destination node receives packet B1, the packet processor examines the DSC field and other information in the IP header to determine the service level/PHB of the packet. As mentioned above, the service level of traffic stream B is AF. Once the service level/PHB has been identified, the associated look-back window size is selected from the window table 58. When the look-back size is determined, the node examines the sequence numbers that are associated with the packets in the predefined window to determine whether a match is made. Referring briefly to FIG. 6, in one embodiment the sequence numbers of accepted packets are stored in the sequence number buffer 55, which is a first in first out (FIFO) buffer. When examining the FIFO 55, only those sequence numbers within the window are examined for the match. For example, in FIG. 6 only those sequence numbers in window 61 are examined for higher priority traffic, only the sequence numbers in window 63 are examined for mid-priority traffic, and all sequence numbers are examined for default priority traffic. Any known method of quickly determining whether or not there is a match between the numbers can be used. As new sequence numbers are received, remaining sequence numbers are pushed down the buffer until eventually they are overwritten, or fall out of the buffer. The length of the sequence number buffer should correspond to the maximum look-back window size.

Referring back to FIG. 5, when packet B1 is received, the sequence numbers of the previous twelve packets are examined for a match. In the example of FIG. 5, there is no match, and the packet is not discarded. The transmission of stream B continues until at time T25 the source node 60 starts to forward a third traffic stream C. In the example of FIG. 5, traffic stream C is high priority EF service level traffic, and thus has a look-back window of only eight packets. The sequence numbers of packets B2-B9 are compared against the sequence number of packet C1, and as there is no match, the packet is not discarded.
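The following is an added, runnable model of the look-back mechanism of FIG. 4 through FIG. 6, written for this page and not code from the patent. The window sizes 8/12/32, the FIFO of accepted sequence numbers whose length equals the largest window, and the FIG. 5 arrival order (A1-A15, then B1-B9, then C1, each stream numbering from 1) are taken from the text; the uniform 32-packet baseline and the replay_after check are assumptions added to show the trade-off a defender has to weigh.

```python
from collections import deque

# Per-service-level look-back windows from the FIG. 5 discussion (EF 8, AF 12, BE 32).
LOOKBACK_WINDOW = {"EF": 8, "AF": 12, "BE": 32}
# Constructed baseline: a conventional fixed 32-packet window for every level.
UNIFORM_WINDOW = {"EF": 32, "AF": 32, "BE": 32}


class ReplayFilterNode:
    """Redundant-packet discard with a per-service-level look-back window.

    Sequence numbers of accepted packets go into a FIFO (the 'sequence number
    buffer' of FIG. 6); its length equals the largest window. A new packet is
    compared only against the newest `window` entries for its service level.
    """

    def __init__(self, windows):
        self.windows = windows
        self.fifo = deque(maxlen=max(windows.values()))

    def receive(self, seq, service_level):
        """Return True if the packet is accepted, False if it is discarded."""
        window = self.windows[service_level]      # lookup in the window table
        recent = list(self.fifo)[-window:]        # newest entries are rightmost
        if seq in recent:
            return False                          # duplicate inside the window
        self.fifo.append(seq)                     # only accepted packets are kept
        return True


def fig5_arrivals():
    """Constructed arrival order modelled on FIG. 5: stream A (BE) sends A1..A15
    at T1..T15, stream B (AF) sends B1..B9 at T16..T24, stream C (EF) sends C1
    at T25. Each stream's sequence numbers restart at 1, as in FIG. 3."""
    arrivals = [("A%d" % i, i, "BE") for i in range(1, 16)]
    arrivals += [("B%d" % i, i, "AF") for i in range(1, 10)]
    arrivals.append(("C1", 1, "EF"))
    return arrivals


def run(windows, arrivals):
    """Feed packets through one node; return the names of the discarded ones."""
    node = ReplayFilterNode(windows)
    return [name for name, seq, level in arrivals if not node.receive(seq, level)]


def replay_after(n_more, windows):
    """Trade-off check (assumption, not from the patent): accept EF packets with
    sequence numbers 1..n_more+1, then present sequence number 1 again.
    Returns True if that repeated packet is accepted, i.e. not caught."""
    node = ReplayFilterNode(windows)
    for seq in range(1, n_more + 2):
        node.receive(seq, "EF")
    return node.receive(1, "EF")


if __name__ == "__main__":
    print("per-level windows drop:", run(LOOKBACK_WINDOW, fig5_arrivals()))
    print("uniform 32 window drops:", run(UNIFORM_WINDOW, fig5_arrivals()))
    print("EF repeat after 8 accepted packets slips through:",
          replay_after(8, LOOKBACK_WINDOW))
```

With the per-level windows B1 and C1 are accepted exactly as the FIG. 5 walk-through says, while the uniform window discards every B packet and C1 because their sequence numbers collide with A1-A9; the replay_after check shows the cost, namely that a repeated EF sequence number older than eight accepted packets is no longer detected, which is why the window sizes must be chosen against the node's actual traffic and threat exposure.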

Thus, a method and apparatus have been shown and described wherein different size windows are associated with different priority traffic to ensure that the packets are not discarded due to redundant packet discard security measures. Although certain sizes have been disclosed above, it should be noted that the present invention is not limited to any specific look-back window size. Various considerations have to be made by a user when making the decision for sizing, such as the type of traffic generally seen at the node, the service levels offered by the service provider, loading considerations at the node, and a variety of other considerations.

Although the present invention has been particularly described with reference to the preferred embodiments thereof, it should be readily apparent to those of ordinary skill in the art that changes and modifications in the form and details may be made without departing from the spirit and scope of the invention. It is intended that the appended claims include such changes and modifications.

What is claimed is:
 1. A node for a packet communication network, the node comprising: a communication interface configured to receive packets from the communication network; and a packet processor coupled to the communication interface, the packet processor being configured: to compare a sequence number associated with a received packet against sequence numbers associated with a number of previously received packets, the number of previously received packets having been determined responsive to a service level associated with the received packet; and to discard the received packet in the event of a match between the respective sequence number associated with any one of the number of previously received packets and the sequence number associated with the received packet.
 2. The node of claim 1, wherein the packet processor is configured to determine the service level associated with the received packet in response to a differentiated services codepoint associated with the received packet.
 3. The node of claim 1, wherein the packet processor is configured to be responsive to at least two service levels wherein the number of previously received packets determined for a higher priority service level is less than a number of previously received packets determined for a lower priority service level.
 4. The node of claim 3, wherein at least one of the service levels corresponds to an Expedited Forwarding (EF) per hop behavior.
 5. The node of claim 3, wherein at least one of the service levels corresponds to an Assured Forwarding (AF) per hop behavior.
 6. The node of claim 3, wherein at least one of the service levels corresponds to a Best Efforts (BE) per hop behavior.
 7. The node of claim 1, wherein the packet processor is configured to discard the received packet in the event of a match in accordance with an Internet Protocol Security (IPsec) anti-replay mechanism.
 8. The node of claim 1, wherein the communication interface comprises a packet buffer configured to buffer received packets.
 9. The node of claim 1, wherein the communication interface comprises a packet parser configured to determine a respective sequence number associated with each received packet.
 10. The node of claim 1, comprising a differentiated services code table configured to determine a respective level of service associated with each received packet.
 11. The node of claim 1, comprising a table of look back window sizes configured to associate a respective look back window size with each level of service.
 12. The node of claim 1, comprising a sequence number buffer configured to buffer sequence numbers associated with previously received packets.